ESB-2019.1025.2 - UPDATE [Debian] linux kernel: Multiple vulnerabilities 2019-04-02

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1025.2
     Several vulnerabilities have been discovered in the Linux kernel
                               2 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Existing Account            
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9213 CVE-2019-7222 CVE-2019-7221
                   CVE-2019-6974 CVE-2019-3819 CVE-2019-3701
                   CVE-2018-20511 CVE-2018-20169 CVE-2018-19985
                   CVE-2018-19824 CVE-2018-18710 CVE-2018-18690
                   CVE-2018-18281 CVE-2018-17972 CVE-2018-16884
                   CVE-2018-16862 CVE-2018-13053 CVE-2018-12896
                   CVE-2018-5953 CVE-2018-5848 CVE-2018-3639
                   CVE-2018-1998 CVE-2018-1828 CVE-2017-13305
                   CVE-2017-5753 CVE-2016-10741 

Reference:         ASB-2019.0029
                   ASB-2019.0002
                   ESB-2019.1005
                   ESB-2019.1004
                   ESB-2019.0984
                   ASB-2018.0192
                   ESB-2019.1003.2

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
   https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html

Comment: This bulletin contains two (2) advisories.

Revision History:  April  2 2019: Added regression update DLA 1731-2
                   March 28 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : linux
Version        : 3.16.64-1
CVE ID         : CVE-2016-10741 CVE-2017-5753 CVE-2017-13305 CVE-2018-3639
                 CVE-2018-5848 CVE-2018-5953 CVE-2018-12896 CVE-2018-13053
                 CVE-2018-16862 CVE-2018-16884 CVE-2018-17972 CVE-2018-18281
                 CVE-2018-18690 CVE-2018-18710 CVE-2018-19824 CVE-2018-19985
                 CVE-2018-20169 CVE-2018-20511 CVE-2019-3701 CVE-2019-3819
                 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-9213

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2016-10741

    A race condition was discovered in XFS that would result in a
    crash (BUG). A local user permitted to write to an XFS volume
    could use this for denial of service.

CVE-2017-5753

    Further instances of code that was vulnerable to Spectre variant 1
    (bounds-check bypass) have been mitigated.

CVE-2017-13305

    A memory over-read was discovered in the keys subsystem's
    encrypted key type. A local user could use this for denial of
    service or possibly to read sensitive information.

CVE-2018-3639 (SSB)

    Multiple researchers have discovered that Speculative Store Bypass
    (SSB), a feature implemented in many processors, could be used to
    read sensitive information from another context. In particular,
    code in a software sandbox may be able to read sensitive
    information from outside the sandbox. This issue is also known as
    Spectre variant 4.

    This update fixes bugs in the mitigations for SSB for AMD
    processors.

CVE-2018-5848

    The wil6210 wifi driver did not properly validate lengths in scan
    and connection requests, leading to a possible buffer overflow.
    On systems using this driver, a local user with the CAP_NET_ADMIN
    capability could use this for denial of service (memory corruption
    or crash) or potentially for privilege escalation.

CVE-2018-5953

    The swiotlb subsystem printed kernel memory addresses to the
    system log, which could help a local attacker to exploit other
    vulnerabilities.

CVE-2018-12896, CVE-2018-13053

    Team OWL337 reported possible integer overflows in the POSIX
    timer implementation. These might have some security impact.

CVE-2018-16862

    Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
    discovered that the cleancache memory management feature did not
    invalidate cached data for deleted files. On Xen guests using the
    tmem driver, local users could potentially read data from other
    users' deleted files if they were able to create new files on the
    same volume.

CVE-2018-16884

    A flaw was found in the NFS 4.1 client implementation. Mounting
    NFS shares in multiple network namespaces at the same time could
    lead to a user-after-free. Local users might be able to use this
    for denial of service (memory corruption or crash) or possibly
    for privilege escalation.

    This can be mitigated by disabling unprivileged users from
    creating user namespaces, which is the default in Debian.

CVE-2018-17972

    Jann Horn reported that the /proc/*/stack files in procfs leaked
    sensitive data from the kernel. These files are now only readable
    by users with the CAP_SYS_ADMIN capability (usually only root)

CVE-2018-18281

    Jann Horn reported a race condition in the virtual memory manager
    that can result in a process briefly having access to memory after
    it is freed and reallocated. A local user permitted to create
    containers could possibly exploit this for denial of service
    (memory corruption) or for privilege escalation.

CVE-2018-18690

    Kanda Motohiro reported that XFS did not correctly handle some
    xattr (extended attribute) writes that require changing the disk
    format of the xattr. A user with access to an XFS volume could use
    this for denial of service.

CVE-2018-18710

    It was discovered that the cdrom driver does not correctly
    validate the parameter to the CDROM_SELECT_DISC ioctl. A user with
    access to a cdrom device could use this to read sensitive
    information from the kernel or to cause a denial of service
    (crash).

CVE-2018-19824

    Hui Peng and Mathias Payer discovered a use-after-free bug in the
    USB audio driver. A physically present attacker able to attach a
    specially designed USB device could use this for privilege
    escalation.

CVE-2018-19985

    Hui Peng and Mathias Payer discovered a missing bounds check in the
    hso USB serial driver. A physically present user able to attach a
    specially designed USB device could use this to read sensitive
    information from the kernel or to cause a denial of service
    (crash).

CVE-2018-20169

    Hui Peng and Mathias Payer discovered missing bounds checks in the
    USB core. A physically present attacker able to attach a specially
    designed USB device could use this to cause a denial of service
    (crash) or possibly for privilege escalation.

CVE-2018-20511

    InfoSect reported an information leak in the AppleTalk IP/DDP
    implemntation. A local user with CAP_NET_ADMIN capability could
    use this to read sensitive information from the kernel.

CVE-2019-3701

    Muyu Yu and Marcus Meissner reported that the CAN gateway
    implementation allowed the frame length to be modified, typically
    resulting in out-of-bounds memory-mapped I/O writes.  On a system
    with CAN devices present, a local user with CAP_NET_ADMIN
    capability in the initial net namespace could use this to cause a
    crash (oops) or other hardware-dependent impact.

CVE-2019-3819

    A potential infinite loop was discovered in the HID debugfs
    interface exposed under /sys/kernel/debug/hid. A user with access
    to these files could use this for denial of service.

    This interface is only accessible to root by default, which fully
    mitigates the issue.

CVE-2019-6974

    Jann Horn reported a use-after-free bug in KVM. A local user
    with access to /dev/kvm could use this to cause a denial of
    service (memory corruption or crash) or possibly for privilege
    escalation.

CVE-2019-7221

    Jim Mattson and Felix Wilhelm reported a user-after-free bug in
    KVM's nested VMX implementation. On systems with Intel CPUs, a
    local user with access to /dev/kvm could use this to cause a
    denial of service (memory corruption or crash) or possibly for
    privilege escalation.

    Nested VMX is disabled by default, which fully mitigates the
    issue.

CVE-2019-7222

    Felix Wilhelm reported an information leak in KVM for x86.
    A local user with access to /dev/kvm could use this to read
    sensitive information from the kernel.

CVE-2019-9213

    Jann Horn reported that privileged tasks could cause stack
    segments, including those in other processes, to grow downward to
    address 0. On systems lacking SMAP (x86) or PAN (ARM), this
    exacerbated other vulnerabilities: a null pointer dereference
    could be exploited for privilege escalation rather than only for
    denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.64-1.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----------------------------------------------------------------------------

Package        : linux
Version        : 3.16.64-2
CVE ID         : CVE-2016-10741 CVE-2017-5753 CVE-2017-13305 CVE-2018-3639
                 CVE-2018-5848 CVE-2018-5953 CVE-2018-12896 CVE-2018-13053
                 CVE-2018-16862 CVE-2018-16884 CVE-2018-17972 CVE-2018-1828=
1
                 CVE-2018-18690 CVE-2018-18710 CVE-2018-19824 CVE-2018-1998=
5
                 CVE-2018-20169 CVE-2018-20511 CVE-2019-3701 CVE-2019-3819
                 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-9213
Debian Bug     : 925919

The linux update issued as DLA-1731-1 caused a regression in the
vmxnet3 (VMware virtual network adapter) driver.  This update corrects
that regression, and an earlier regression in the CIFS network
filesystem implementation introduced in DLA-1422-1.  For reference the
original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2016-10741

    A race condition was discovered in XFS that would result in a
    crash (BUG). A local user permitted to write to an XFS volume
    could use this for denial of service.

CVE-2017-5753

    Further instances of code that was vulnerable to Spectre variant 1
    (bounds-check bypass) have been mitigated.

CVE-2017-13305

    A memory over-read was discovered in the keys subsystem's
    encrypted key type. A local user could use this for denial of
    service or possibly to read sensitive information.

CVE-2018-3639 (SSB)

    Multiple researchers have discovered that Speculative Store Bypass
    (SSB), a feature implemented in many processors, could be used to
    read sensitive information from another context. In particular,
    code in a software sandbox may be able to read sensitive
    information from outside the sandbox. This issue is also known as
    Spectre variant 4.

    This update fixes bugs in the mitigations for SSB for AMD
    processors.

CVE-2018-5848

    The wil6210 wifi driver did not properly validate lengths in scan
    and connection requests, leading to a possible buffer overflow.
    On systems using this driver, a local user with the CAP_NET_ADMIN
    capability could use this for denial of service (memory corruption
    or crash) or potentially for privilege escalation.

CVE-2018-5953

    The swiotlb subsystem printed kernel memory addresses to the
    system log, which could help a local attacker to exploit other
    vulnerabilities.

CVE-2018-12896, CVE-2018-13053

    Team OWL337 reported possible integer overflows in the POSIX
    timer implementation. These might have some security impact.

CVE-2018-16862

    Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
    discovered that the cleancache memory management feature did not
    invalidate cached data for deleted files. On Xen guests using the
    tmem driver, local users could potentially read data from other
    users' deleted files if they were able to create new files on the
    same volume.

CVE-2018-16884

    A flaw was found in the NFS 4.1 client implementation. Mounting
    NFS shares in multiple network namespaces at the same time could
    lead to a user-after-free. Local users might be able to use this
    for denial of service (memory corruption or crash) or possibly
    for privilege escalation.

    This can be mitigated by disabling unprivileged users from
    creating user namespaces, which is the default in Debian.

CVE-2018-17972

    Jann Horn reported that the /proc/*/stack files in procfs leaked
    sensitive data from the kernel. These files are now only readable
    by users with the CAP_SYS_ADMIN capability (usually only root)

CVE-2018-18281

    Jann Horn reported a race condition in the virtual memory manager
    that can result in a process briefly having access to memory after
    it is freed and reallocated. A local user permitted to create
    containers could possibly exploit this for denial of service
    (memory corruption) or for privilege escalation.

CVE-2018-18690

    Kanda Motohiro reported that XFS did not correctly handle some
    xattr (extended attribute) writes that require changing the disk
    format of the xattr. A user with access to an XFS volume could use
    this for denial of service.

CVE-2018-18710

    It was discovered that the cdrom driver does not correctly
    validate the parameter to the CDROM_SELECT_DISC ioctl. A user with
    access to a cdrom device could use this to read sensitive
    information from the kernel or to cause a denial of service
    (crash).

CVE-2018-19824

    Hui Peng and Mathias Payer discovered a use-after-free bug in the
    USB audio driver. A physically present attacker able to attach a
    specially designed USB device could use this for privilege
    escalation.

CVE-2018-19985

    Hui Peng and Mathias Payer discovered a missing bounds check in the
    hso USB serial driver. A physically present user able to attach a
    specially designed USB device could use this to read sensitive
    information from the kernel or to cause a denial of service
    (crash).

CVE-2018-20169

    Hui Peng and Mathias Payer discovered missing bounds checks in the
    USB core. A physically present attacker able to attach a specially
    designed USB device could use this to cause a denial of service
    (crash) or possibly for privilege escalation.

CVE-2018-20511

    InfoSect reported an information leak in the AppleTalk IP/DDP
    implemntation. A local user with CAP_NET_ADMIN capability could
    use this to read sensitive information from the kernel.

CVE-2019-3701

    Muyu Yu and Marcus Meissner reported that the CAN gateway
    implementation allowed the frame length to be modified, typically
    resulting in out-of-bounds memory-mapped I/O writes.  On a system
    with CAN devices present, a local user with CAP_NET_ADMIN
    capability in the initial net namespace could use this to cause a
    crash (oops) or other hardware-dependent impact.

CVE-2019-3819

    A potential infinite loop was discovered in the HID debugfs
    interface exposed under /sys/kernel/debug/hid. A user with access
    to these files could use this for denial of service.

    This interface is only accessible to root by default, which fully
    mitigates the issue.

CVE-2019-6974

    Jann Horn reported a use-after-free bug in KVM. A local user
    with access to /dev/kvm could use this to cause a denial of
    service (memory corruption or crash) or possibly for privilege
    escalation.

CVE-2019-7221

    Jim Mattson and Felix Wilhelm reported a user-after-free bug in
    KVM's nested VMX implementation. On systems with Intel CPUs, a
    local user with access to /dev/kvm could use this to cause a
    denial of service (memory corruption or crash) or possibly for
    privilege escalation.

    Nested VMX is disabled by default, which fully mitigates the
    issue.

CVE-2019-7222

    Felix Wilhelm reported an information leak in KVM for x86.
    A local user with access to /dev/kvm could use this to read
    sensitive information from the kernel.

CVE-2019-9213

    Jann Horn reported that privileged tasks could cause stack
    segments, including those in other processes, to grow downward to
    address 0. On systems lacking SMAP (x86) or PAN (ARM), this
    exacerbated other vulnerabilities: a null pointer dereference
    could be exploited for privilege escalation rather than only for
    denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.64-1.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXKKf5WaOgq3Tt24GAQhrlhAAzPzM2WOU2o/ZliKEvoJP3z0CTwn5RqxD
nS6ZciAJ9Tb0oGQJYpp7nWGa+W1klToA43ihwszb4dtpFU1koCDrKuNokoXxDA4S
pGtNj6a33aLeyWuVYDbT4vZsf9EzJxIq1Qpyp+Sh9ASB4U+Hyct1zJlAMyu0v5wF
g/sSJMCvMk3peE5hiuDwnLud2XHXhSD0M0xlr+NxXtfRaIyCEqGZtiFhC7Bxvwtw
BxFoKG84en7ENjfwSsOYqigaxjqkkD8/9fjZmWDoHuJBo29dDRF7DOkM48HgkCt9
eiRnVOAczM8DtPLTjnj7sPOuRkEvlUfJcqfnxBXEKdm1tIMBhB6KflH9+L7pDcFl
HAQsBMZ3ZOxq+0tKKQYtz84Ma1bmlS7Ex60H82Y2g0OG3qGbvBKOb9LvVqvd1Q7V
xtXYKpB70KnsyKN3r5W3m2iTsjHmB7oUiuZag1kLtRNo2sI7e4HUng3e1T+Nwsek
/rgo57xG+2mp8+c9eX006a8Ao0rI3s2RFxVtSCamSUSvK2fmjA5ugDcGuYgkoia3
h3XKdSOBOvdJD+5odHRxDA596+9b+VTikHjnWgKxqBJ8IHJFHHUGizGI2kX8g27L
/UPd9KafM9ge4CMBskTqOLyqMNgYNBNa6AMo41jH+qIZU2+aDpQ7c8czHS5nsXWy
fW26Dr1/3NY=
=Tzrm
-----END PGP SIGNATURE-----

« Back to bulletins